PGP signing commits

Jarmo Tiitto jarmo.tiitto at gmail.com
Sun Jun 14 16:42:44 BST 2026


> IMO this creates more trouble than it's worth, for new contributors but
> probably also for other people (think rebases, etc).

> I don't see a single good reason to require gpg signed signatures, this
> will only create a higher barrier of entry for newcomers, and not just
> newcomers - there are a lot of *current* developers that never bothered to
> create or use a gpg signature. The tooling around it is honestly horrible.

I was unaware of the general stance when I requested enabling gpg
signed commits. I mostly thought of it as "a nice to have" thing that would
improve trust.

I have been using GPG signing from around 2023-2024 to this day, and I
agree it is a hurdle to set up. In practice the only hurdle for me is that I
need to open my keyring once a day and after this the signing is automatic,
including rebases.

I do think contributors who have developer rights (can merge to master)
should eventually enable it. One-off new contributors don't need to enable
it, though here the signing would be most beneficial.

Looks like I'll need to soften my stance on this, and we can keep the GPG
signing optional.

Thanks for the discussion.

(sent from gmail)


Sat 13.6.2026 at 10.35 Tomaz Canabrava (tomaz.canabrava at gmail.com)
wrote:

>
>
> On Thu, Jun 11, 2026 at 10:34 PM Sven Brauch <mail at svenbrauch.de> wrote:
>
>> Hi,
>>
>> On 11.06.26 21:12, Martin Bednar wrote:
>> > On the topic of requiring GPG signed commits, opened here:
>> >
>> https://invent.kde.org/kdevelop/kdevelop/-/merge_requests/896#note_1519822
>>
>> What do you effectively do with these signatures? I.e. what meaningful
>> verification can you do assuming a commit is signed, in doubt, by some
>> random guy nobody has ever met? At best, you can say "this and this
>> contribution are by the same person", but not even the opposite is true
>> since people can just say they lost their key.
>>
>> IMO this creates more trouble than it's worth, for new contributors but
>> probably also for other people (think rebases, etc).
>>
>
> I completely agree with Sven.
> I don't see a single good reason to require gpg signed signatures, this
> will only create a higher barrier of entry for newcomers, and not just
> newcomers - there are a lot of *current* developers that never bothered to
> create or use a gpg signature. The tooling around it is honestly horrible.
> Having the gpg signed commit is - imo - the same thing as having the
> signed-off-by line.
> Nothing.
>
>
>
>> > And on a slightly related note: Anyone going to Akademy?
>>
>> Not this year, sorry :(
>>
>> Best,
>> Sven
>>
>
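Sven's question about what a signature actually lets a maintainer verify has a concrete answer in git's own signature columns. The following is an added example, not code from this thread or from the KDevelop project: a POSIX shell policy check over lines of the form produced by `git log --format='%H %G? %GK %GS'`, run here on constructed sample lines against a constructed allow-list of key ids for people with merge rights (every hash, key id and name is made up).

```shell
#!/bin/sh
# Policy check over git's signature columns. Input lines look like the
# output of:  git log --format='%H %G? %GK %GS' origin/master..HEAD
# %G? codes: G good, U good but untrusted, N unsigned, E cannot check
# (public key missing), B bad, X/Y expired, R revoked.

# Constructed sample standing in for real git output (not real commits).
SAMPLE_LOG='1111111111111111111111111111111111111111 G ABCDEF0123456789 Alice <alice@example.org>
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U 1234567890ABCDEF Mallory <m@example.net>
4444444444444444444444444444444444444444 G 1234567890ABCDEF Mallory <m@example.net>
5555555555555555555555555555555555555555 E FEDCBA9876543210'

# Constructed allow-list: long key ids of people who may merge to master.
ALLOWED_KEYS='ABCDEF0123456789'

# check_signatures ALLOWED: read log lines on stdin, print one line per
# commit that fails policy, return 0 only if every commit passed.
# A "good" signature is not enough on its own; the key must also be one
# the project has decided to trust for merging.
check_signatures() {
    allowed="$1"
    failures=0
    while IFS=' ' read -r hash status keyid rest; do
        [ -n "$hash" ] || continue
        case "$status" in
            G)
                case " $allowed " in
                    *" $keyid "*) continue ;;
                    *) printf '%s: good signature, but key %s is not an allowed merger key\n' "$hash" "$keyid" ;;
                esac ;;
            N) printf '%s: unsigned\n' "$hash" ;;
            U) printf '%s: signed by untrusted key %s\n' "$hash" "$keyid" ;;
            E) printf '%s: cannot verify, public key %s not available\n' "$hash" "$keyid" ;;
            *) printf '%s: signature status %s (bad, expired or revoked)\n' "$hash" "$status" ;;
        esac
        failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Number of commits in the sample that fail policy (expected: 4).
count_failures() {
    printf '%s\n' "$SAMPLE_LOG" | check_signatures "$ALLOWED_KEYS" | wc -l | tr -d ' '
}
```

Only the first sample commit passes: the fourth is validly signed but by a key outside the allow-list, which is exactly the distinction a bare "signed or not" check would miss.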